SYSTEM AND METHOD FOR AUTHENTICATING USERS IN A COMPUTER NETWORK

RELATED APPLICATIONS

This application is related to and claims priority from Provisional Application No. 60/091,824, filed Jul. 6, 1998, which is incorporated herein by reference.

This application is related to patent application Ser. No. 09/285,028, filed Apr. 1, 1999, which claims priority from Provisional Application No. 60/080,319, filed Apr. 1, 1998, both of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to security systems and methods for controlling access to computers.

BACKGROUND INFORMATION

The WINDOWS NT operating system (or "WINDOWS NT") from Microsoft Corporation of Redmond, Washington, provides a set of windowed utilities that allows easy setup and administration of a security system. The WINDOWS NT operating system itself is secure and makes its security system available to all applications through a standard Win32 security API.

An important aspect of the WINDOWS NT security system is that it is user-centric. Each line of code that attempts to access a secure object (file, printer, pipe, service, etc.) must be associated with a particular user. A user must identify himself to WINDOWS NT using a user ID and a password, via a log-on function. Each security check is made against the user's identification.

As a result, it is not possible, for example, to write code that prevents an application (e.g., Microsoft EXCEL) that is running under WINDOWS NT from accessing an object. For instance, an object can be secured against access from user Joe running EXCEL, but if user Carla is allowed to access the object, she can do so using EXCEL or any other application. All Carla has to do is identify herself to WINDOWS NT using her password.

Thus the entire validity of the WINDOWS NT security system is based on accurate identification of the user. WINDOWS NT user authentication is based on user IDs and passwords. Once a password is compromised, a general collapse of the security system can occur. There is therefore a need for a capability that adds a second factor to password-based authentication mechanisms such as that of WINDOWS NT. Such a capability should also ensure robustness while improving end-user convenience.

Not only do passwords present a security risk, they are also costly to administer. To provide an acceptable level of security, it is not uncommon to require changing corporate users' passwords every 30 to 60 days. This is not only an annoyance to the user, it is a major resource drain on system administrators. Surveys have shown that over 50% of the calls received by internal corporate hotlines are password related. Adding to this the lost productivity of professional office workers trying to figure out what their correct current password is, or requesting to be reinstated on the network, leads to an estimated annual cost of maintaining passwords of as high as $300 per user.

Saflink Corporation, with funding from the U.S. Department of Defense, has developed a Human Authentication application program interface (API), or HA-API, which allows applications to work with multiple biometric technologies presently available today and to integrate with new technologies in the future without requiring changes to the applications. The HA-API specification provides a set of standard program names and functions that enable various biometric technologies to be implemented easily into application programs for network user identification and authentication. It is foreseen that HA-API will be used both by application/product developers who wish to integrate biometric technology into their applications as well as by biometric vendors who wish to adapt their technologies for use within open system application environments.

FIG. 1 is a block diagram illustrating the architecture of HA-API. HA-API provides two interfaces. The first interface is an application API 101 consisting of functions 103 to determine which biometric technology (finger image, voice, facial image, etc.) is available to the application 10 and a set of functions 105 to authenticate a user's identity via any of the available technologies. The HA-API authentication functions 105 hide the unique characteristic of each biometric from the application 10. The second interface is a Biometric Service Provider (BSP) Interface 111 which provides a common interface for biometric technology providers to "plug-in" their unique modules 150. BSP modules 150 contain the capture, extraction (converting biometric features into a digital representation called a Biometric Identifier Record), and matching capabilities of a biometric vendor.

The full text of the Human Authentication API has been published by the Biometric Consortium (available at www.biometrics.org).

SUMMARY OF THE INVENTION

The present invention provides a rule based biometric user authentication method and system in a computer network environment. Multiple authentication rules can exist in the computer network. For example, there may be a default system-wide rule, and a rule associated with a particular user attempting to log in. There may be other rules such as one associated with a remote computer from which the user is logging in, one associated with a group to which the user belongs, or one associated with a system resource to which the user requires access such as an application program or a database of confidential information. An order of precedence is established which is used to authenticate the user.

In operation, a user identification such as a password is received. If an authentication rule associated with the user exists, the system according to the present invention authenticates the user with the captured biometric information and a previously stored biometric information according to the authentication rule associated with the user. If not, the system authenticates the user with the captured biometric information and the previously stored biometric information according to a system default rule. In that embodiment, the rule associated with the user has a higher precedence than the system default rule.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the architecture of the Human Authentication API (HA-API).

FIG. 2 is a block diagram of an exemplary system in accordance with the present invention.

FIG. 3 is a flow chart depicting an exemplary log-on process with the system of the present invention.

DETAILED DESCRIPTION

FIG. 2 is a block diagram showing the various components in an exemplary system in accordance with the present invention. The exemplary embodiment described operates in conjunction with the WINDOWS NT operating system. Although a WINDOWS NT-based embodiment is described, the system of the present invention is applicable to a wide variety of operating systems.

An exemplary embodiment of a system in accordance with the present invention includes a plurality of software modules: a Graphical Identification and Authentication (GINA) DLL 255; SAF Server 220; SAF/NT VF Sub-authentication filter 213; extensions to WINDOWS NT User Manager 240 and Server Manager 260; and SAF Transaction Client 275. In addition, a modified WINDOWS 95/98 Network Provider may be included for WINDOWS 95/98 installations. These modules can be installed as an add-on or over-pack to the basic WINDOWS NT operating system. Once Microsoft's standard products, such as WINDOWS NT Client 250, WINDOWS NT Server, and SQL Server have been installed on a computer system, the aforementioned modules of the system of the present invention can be installed.

The GINA DLL 255 is the portion of the WINDOWS NT client 250 that challenges a user for their userID, domain, and password. As part of SAF/NT, the GINA DLL 255 is modified to include biometric identification in accordance with the present invention. The modified GINA DLL 255 preferably can be invoked with the same key sequence (e.g., CTRL+ALT+DEL) used to invoke the standard GINA DLL.

The modified GINA DLL 255 communicates with the SAF Server 220 (described below) to determine the state of the workstation, to query the registration status of a user, and to verify the user's BIR. The GINA DLL 255 also communicates with the NT security subsystem 211 to log a user onto a workstation or domain controller 210.

The modified GINA DLL 255 may also preferably provide a secure screen saver capability that locks a workstation's keyboard and hides information displayed on the video monitor during a user's absence from the workstation. Upon return, only the user's biometric is required to unlock a biometrically enabled workstation. If a password-only user is logged on to a biometrically enabled workstation, then the user's password will unlock the workstation. The screen saver can be invoked manually through a key sequence or via a configurable time-out value.

The SAF/NT Windows 95/98 Network Provider delivers the same functionality as the GINA DLL for domain log-ons from a WINDOWS 95/98 workstation. Since WINDOWS 95/98 does not support the same level of security for the client workstation as does WINDOWS NT, biometric authentication is supported for domain log-ons only.

The SAF Server 220 performs several functions. First, the SAF Server 220 responds to requests from the GINA DLL 255 to query the registration status of a user with a command to capture the appropriate biometric or password. A user can have multiple biometrics registered (fingerprint, voice print, facial shape, etc.), with one biometric designated as primary. The primary biometric for a user is the biometric the user would normally be challenged for if the workstation supports the capture device. If the workstation does not support the user's primary biometric (e.g., fingerprint) but does support a secondary biometric for which the user is registered (e.g., voice), the SAF Server 220 will command the GINA DLL 255 to capture the secondary biometric. As such, the SAF Server 220 controls the biometric capture procedure in accordance with the user's biometric status as well as the biometric capabilities of the workstation by which the user seeks access.

Second, the SAF Server 220 maintains a database 221 of Biometric Identifier Records (BIRs) for a plurality of registered users. Each BIR contains biometric information for a user, preferably in accordance with the HA-API specification. Each registered BIR is associated in the database 221 with the corresponding user's userID and password. The SAF Server 220 verifies the BIR of a user attempting to log-on. Biometric matching is performed at the SAF Server 220. This provides the strongest identification and authentication possible since the server is typically physically secured. Since it is not practical in most networks to physically secure client workstations, other biometric log-in solutions that perform the biometric match at the remote client workstations are more vulnerable to a determined hacker attempting to circumvent the authentication process.

The SAF Server 220 supports multiple biometric types (e.g. fingerprint, voice print, facial shape, etc.) and multiple vendor technologies for each biometric type. A system administrator can set the primary biometric type and technology for each user. At authentication time, the primary biometric type and technology are compared with the client workstation's capabilities. If the workstation does not have the necessary resources to capture the primary biometric, the user can be optionally challenged for a password.

The SAF Server 220 also maintains the state of all workstations in the domain, logs failed verification requests in the NT security log and logs system administrator access in the NT security log.

In the exemplary embodiment, communications between client workstations and the SAF Server 220 is via Remote Procedure Calls (RPC) and is encrypted. A different encryption key is used for each session between a client and the server. If a strong encryption version of the WINDOWS NT operating system is used, 128-bit keys are generated.

Multiple SAF Servers can be configured using the replication services of SQL Server and Microsoft's Cluster Server (Wolfpack). The SAF Server(s) can be located on a domain controller, back-up domain controller, or on separate physical servers. This provides for scalability and resiliency of the SAF Server in large networks.

The SAF Server facilitates centralized management of user identification and authentication and also makes it easy to integrate additional biometric identification application modules in the future. All user information can be stored in a database, such as a Microsoft SQL Server database, using encryption, such as RSA's RC4 encryption.

Extensions to WINDOWS NT's standard User Manager and Server Manager provide enrollment and maintenance functions used by a systems administrator to register userIDs, passwords, BIRs, and workstation information into the SAF Server's database. The extensions also allow a systems administrator to delete a user, query a user's status, delete a workstation entry, and change the state of a workstation. The extended User Manager 240 and Server Manager 260 can communicate with the SAF Server 220 using NT RPC. All data is encrypted.

FIG. 3 shows a flow chart of an exemplary log-on process in accordance with the present invention.

At step 301, a user invokes the log-on process, such as by pressing the standard WINDOWS NT key sequence Ctrl/Alt/Del. At step 303, the user enters his userID and domain. If it is determined at step 305 that the user's BIR is registered, the user is challenged at step 307 for his biometric features (e.g., finger image, voice, facial image, etc.). If it is determined at step 305 that there is no registered BIR for the user, the user is challenged at step 309 for his password. Log-on will then occur, at 311, using standard WINDOWS NT password authentication.

At step 307, the user is challenged to provide a biometric input for capture by the system. This procedure can be carried out with the assistance of a biometric capture wizard displayed on the computer. Once challenged for a biometric, the user follows the instructions of the biometric capture wizard. Each type of biometric requires the user to follow a different set of instructions such as placing a finger on a scanner for finger image, speaking a phrase into a microphone for voice recognition, or facing a camera for facial authentication. The biometric is captured at step 313.

At step 315, the modified GINA DLL creates a BIR from the captured biometric and sends the BIR with the userID to the SAF Server for verification. The SAF/NT Verification Server 222 retrieves the user's record and compares the BIR submitted by the user to the BIR stored in the database 221. The comparison of BIRs is carried out using a HA-API compliant Biometric Service Provider (BSP) module 225 for the given biometric. Such modules are available, for example, from Visionics (for face image), ITT (voice) and Cogent (fingerprint). At step 317, the SAF/NT Verification Server makes a yes/no decision and returns this decision to the user's workstation.

If the verification server 222 verifies that the user is authorized to log on, the server will retrieve the user's password from the database 221 and send the user's password back to the workstation where the log-on will be completed, at step 319, via the GINA DLL 255. The completion of the log-on procedure is transparent to the user. If the verification server decides that the user is not authorized, at step 321 the user will be denied access and an "access denied" message will be displayed on the screen. Additionally, at step 323, the failed verification will be logged, such as in the WINDOWS NT security log.

A SAF/NT Validity Flag Sub-authentication filter 213 is optionally installed on the domain controller 210. The filter 213 communicates with the SAF Server 220 to check the status of a user's validity flag whenever an authorization request for that user is received by the domain controller 210. Validity flags are used to determine whether users attempting to log-on were recently authenticated by the SAF Server 220 within some preselected time interval (e.g., 1-2 seconds) prior to being authenticated by the standard password security system 211. If a user attempting to log-on was not recently authenticated by the SAF Server 220, that indicates that the user wrongfully by-passed the SAF/NT biometric authentication system. The combination of the workstation state and the validity flag prevents a person from disabling the biometric capture hardware on a workstation in an attempt to bypass the biometric authentication process and use a password only. The validity flag contains a time stamp.

A SAF Transaction Client 275 allows a custom application 270 to verify a user's identity via the SAF Server 220, subsequent to a successful logon. The identification can be of the currently logged-on user or another user who is enrolled in the SAF database. A supervisory override on a transaction is an example of a situation in which another user would be identified.

At a time when "hacker contests" result in mainframe security breaches at the Pentagon and other government agencies, the need for a comprehensive data security plan has never been greater. Managing information security is now a major enterprise challenge, as applications evolve to run over a mix of public and private networks. To be effective, information security must adapt to business needs, enable business processes, and become an integral component of business systems.

As the world shifts from an industrial economy to one based on information, key new technologies led by the Internet are enabling a business revolution where people and businesses are interacting in new and exciting ways. The ability to make information accessible from anywhere in the world that has an Internet connection and a browser has been a catalyst for a whole new breed of business applications. Internet based enterprise network applications that provide a consistent view of a company and its services enable better communication both inside the company and between the company and its partners, suppliers, and customers. They provide a strategic competitive advantage on both the top and bottom lines.

Security is a principal enabler of the information-based economy, allowing for the creation of the virtual corporation and the migration of business applications to Internet based enterprise network applications. Today, the distinction between the "good secure" internal network and the "bad insecure" external network is no longer valid. Companies must not only protect the perimeter and interior of their network, but also the data and applications used to run the business in a global information anytime, anywhere environment.

Internet-based enterprise network applications require security solutions for implementing business policies. Each organization has to establish and enforce policies covering when and how users are identified before accessing proprietary information. At Saflink Corporation, an assignee of the present application, it has developed a software called SAFsite that delivers a next-generation identification and authentication (I&A) solution which lets organizations enforce their business policies securely. In developing the SAFsite product, Saflink began by designing a base architecture for an enterprise network solution. The resulting multi-biometric I&A framework is network-centric, and features a central SAF Server that may be shared by all Web applications. This facilitates centralized management of user identification and authentication and also makes it easy to integrate additional application modules as time goes on. SAFsite is HA-API compliant (a recognized industry standard) supporting multiple biometrics, affording users maximum flexibility and choice.

SAFsite provides biometric-based identification and authentication of Web site administrators and end-users with access privileges to protected Web information. It is built on the proven SAF architecture, supporting multiple biometrics, and is integrated with the other members of the SAF family.

SAFsite delivers the most positive form of user identification and authentication. A comprehensive data security plan includes a number of elements — encryption, access control hierarchies, security policies, physical security of data servers, etc. But the cornerstone of any sound enterprise security plan is user I&A. Without uncompromising I&A, other elements of the security solution are jeopardized. And, nowhere in an enterprise network is user identity more in question than on the Internet.

SAFsite is a software development kit which allows multi-biometric based I&A to be integrated into enterprise network applications designed for the Internet built with leading rapid application development tools such as Everware Development Corporation's Tango, Allaire's Cold Fusion, NetObject's Fusion, Microsoft's Visual InterDev, HAHTSite, and NetDynamic's Enterprise Network Application Platform.
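The FIG. 3 log-on flow and the validity flag check that the SAF/NT sub-authentication filter performs on the domain controller, as an added example that is not Saflink's code: the SAF Server, the NT password check and BSP matching (an exact-bytes comparison here) are in-memory stand-ins, and the time window, users and workstation names are constructed.

```python
# Log-on flow of FIG. 3 with the validity-flag check of filter 213 in front of NT
# password authentication. Added example, not Saflink's code: the SAF Server, the NT
# password check and BSP matching (exact-bytes comparison) are in-memory stand-ins.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VALIDITY_WINDOW_SECONDS = 2.0  # "preselected time interval (e.g., 1-2 seconds)"


@dataclass
class SafServer:
    birs: Dict[str, bytes]            # userID -> enrolled BIR (opaque bytes here)
    passwords: Dict[str, str]         # userID -> password released after a match
    biometric_workstations: Set[str]  # workstations in the biometric-enabled state
    validity_flags: Dict[str, float] = field(default_factory=dict)  # userID -> time stamp
    security_log: List[str] = field(default_factory=list)

    def is_registered(self, user: str) -> bool:  # step 305
        return user in self.birs

    def verify_bir(self, user: str, bir: bytes, now: float) -> Optional[str]:
        """Steps 315-319: compare the submitted BIR with the stored one. On a match,
        set the user's validity flag (a time stamp) and release the stored password."""
        if self.birs.get(user) == bir:  # stand-in for the BSP matcher
            self.validity_flags[user] = now
            return self.passwords[user]
        self.security_log.append(f"FAILED_VERIFICATION user={user}")  # step 323
        return None

    def flag_is_fresh(self, user: str, now: float) -> bool:
        stamp = self.validity_flags.get(user)
        return stamp is not None and 0.0 <= now - stamp <= VALIDITY_WINDOW_SECONDS


def subauth_filter(server: SafServer, user: str, workstation: str, now: float) -> bool:
    """Filter 213: runs whenever the domain controller receives an authorization
    request. Password-only users pass. A user with a registered BIR arriving from a
    biometric-enabled workstation must carry a fresh validity flag; otherwise the
    biometric step was bypassed, so the request is denied and logged."""
    if not server.is_registered(user):
        return True
    if workstation not in server.biometric_workstations:
        return True  # no capture hardware: the password challenge is the permitted fallback
    if server.flag_is_fresh(user, now):
        return True
    server.security_log.append(f"BYPASS_SUSPECTED user={user} workstation={workstation}")
    return False


def domain_controller_auth(server: SafServer, user: str, workstation: str,
                           password: str, now: float) -> bool:
    """Standard NT password authentication (stand-in) with filter 213 in front of it."""
    if not subauth_filter(server, user, workstation, now):
        return False
    return server.passwords.get(user) == password


def logon(server: SafServer, user: str, workstation: str, now: float,
          captured_bir: Optional[bytes] = None,
          typed_password: Optional[str] = None) -> bool:
    """What the modified GINA DLL does after the user has entered userID and domain."""
    if server.is_registered(user):                           # step 305
        if captured_bir is None:
            return False                                     # nothing captured at step 313
        password = server.verify_bir(user, captured_bir, now)  # steps 315-317
        if password is None:
            return False                                     # step 321: access denied
    else:
        password = typed_password or ""                      # step 309: password challenge
    return domain_controller_auth(server, user, workstation, password, now)  # steps 311/319


def demo_server() -> SafServer:
    """Constructed state: alice has an enrolled BIR, bob is a password-only user."""
    return SafServer(birs={"alice": b"BIR:alice:finger"},
                     passwords={"alice": "pw-alice", "bob": "pw-bob"},
                     biometric_workstations={"ws-bio"})
```

Calling domain_controller_auth() directly stands for a password submitted without the biometric step; the filter denies it and the log entry is what the NT security log would receive.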

Each user, whether a Web site administrator, employee, or customer, attempting to access protected, proprietary information is biometrically authenticated by SAFsite prior to gaining access permission. When a user attempts to access a protected Web page, SAFsite challenges the user for their userID. For a user who belongs to a group, the userID may include a primary key that identifies the group and a secondary key that identifies the user within that group. The keys may be typed in by the user, or automatically generated by, for example, the swipe of an employee ID card through a card reader. Based on a set of enterprise security policies, SAFsite then challenges the user for the appropriate biometric credentials, such as finger-image, voice print, or facial image. The user's biometric is captured, individual characteristics are extracted from the biometric, and a digital representation of the characteristics is sent to the SAF Server 220 for authentication. SAFsite supports both Microsoft's Internet Explorer and Netscape Communicator browsers.

The SAF Server 220 maintains a database 221 of all users and their biometric credentials. Biometric matching is performed at the trusted SAF Server 220. This provides the strongest identification and authentication possible since the server is typically physically secured. Since it is not practical in most networks to physically secure client workstations, other biometric log-in solutions that perform the biometric match at the remote client workstation are more vulnerable to a determined hacker attempting to circumvent the authentication process.

All user information is stored in the Microsoft SQL Server database using RSA's RC4 encryption. In its current implementation, SAFsite requires the customer to purchase one of the versions of Microsoft SQL Server (workstation or server) or the Microsoft Back Office suite. The communications between the browser's biometric ActiveX control or plug-in and the SAF Server is via Secure Sockets Layer. Communication between a Web application and the SAF Server is via Remote Procedure Calls (RPC) and is encrypted. If a strong encryption version of the Windows NT operating system is used, 128 bit keys are generated.

Scalability and resiliency of the SAF Server in large networks is provided for through the ability to configure multiple SAF Servers using SQL Server replication services and Microsoft's Cluster Server (Wolfpack). The SAF Server(s) can be located physically on a Web server or on separate physical servers.

As an overview of the SAFsite architecture, it provides a foundation for user-based, multiple biometric identity authentication for Web based enterprise network applications. It can be used as is, or extended to provide a powerful, yet flexible password replacement or augmentation mechanism.

SAFsite includes three main components: browser biometric extensions, the authentication client library, and the SAF Server. The first component, browser biometric extensions, includes a Microsoft Internet Explorer ActiveX control and a Navigator Communicator "plug-in" that capture an individual's user-ID and biometric information, such as finger print, facial shape, or voice print. The browser biometric extensions provide biometric capture for both enrollment and authentication. They interface with a HA-API Biometric Service Provider module (see HA-API specification for details).

The first component, browser biometric extensions, communicates with the Web application via Secure Sockets Layer and all data is encrypted. The Web application also interfaces to the authentication client library. The authentication client library provides an interface for communicating to the SAF Server. All data buffering and session management between the browser extensions and the authentication client library is the responsibility of the Web application.

The third component is the SAF Server that accepts requests from multiple clients. The SAF Server communicates directly with an encrypted database that maintains user information. This information includes user name, biometric records for each user, authentication rule, and additional application specific data such as encrypted password or key for another data table. Primary and secondary keys are maintained for those users who belong to a group. This would allow for the authentication server to be extended to support 1 to few searching, based on the secondary key. That is, the biometric record of the user is compared against those of the group members. The components of the server can exist on a single machine, or can reside on multiple machines, taking advantage of distributed object architectures such as DCOM or CORBA, which would handle load balancing and referral services for the server. Communication between the client and server is via Secure RPC, using the strongest encryption available on the data being sent.

According to a preferred embodiment of the present invention, SAF Server authentication employs a rule-based, multiple biometric solution. Rule-based authentication allows for a powerful, yet extremely flexible mechanism for identifying users. It also allows for the combinations of multiple biometrics to be mixed to offer strong authentication. Rules can be as simple as logging on with a single biometric, or can be as complex as specifying multiple authentication paths, depending on time-of-day, security level, applicable biometric success, and reasonable false accept/reject levels. A hierarchy of rules precedence is also maintained.

Rule based biometric authentication is the notion of authenticating a user based on a variety of rules which specify different actions to take depending on the parameters specified by the rule. Parameters may include time of day, security level, success/failure of a specific biometric, or false accept/reject levels. Additional parameters can be specified by an application to suit particular authentication needs. Examples of a rule may be "use a fingerprint or facial biometric information for authentication during business hours", "use a combination of fingerprint and facial biometric information during non-business hours and authenticate the user only when the confidence level of the match is above 90%", or "authenticate a user using any biometric information with a confidence level of at least 95%".

Multiple rules can exist inside the entire client/server world. Therefore an order of precedence is defined. By default, a system wide rule is defined. This rule has the lowest precedence and may be as simple as a single biometric authentication such as "use a fingerprint biometric information for authentication". If secondary keys are used in the authentication database, a primary key can have a rule associated with it. For example, for access to a joint account in an Internet banking application software, a user may have a primary key associated with the account such as the main account number and a secondary key associated with the user himself such as his own sub-account number or a Social Security number. This allows for group based rules. This group-based rule has precedence over the system default rule. A particular user (identified by a unique primary and secondary key combination) can have an associated authentication rule. This authentication rule has precedence over the group and system default rules. Additional rules to handle workstation (if available) and object can be added to extend the architecture. Their precedence would be workstation over user, object over workstation. As persons of ordinary skill in the art can appreciate, an object is anything that needs to be secured against unauthorized access. For example, an object can be an application program such as an Internet banking program or any computer resource such as a storage device that stores confidential data. As an exemplary case, the following provides an order of precedence:

1. Use the rule associated with an object if available else,
2. Use the rule associated with a workstation from which a user is trying to log on if available else,
3. Use the rule associated with the user else,
4. If primary and secondary keys are used, use the rule for a primary key (group) if available else,
5. Use the system default rule.

The third component of SAFsite, authentication client library, provides the functionality needed to create, maintain and authenticate against a secured, multiple biometric user database. This functionality includes authentication as well as typical database requests: add, delete, update and query. To support rule-based authentication, the client library also provides functions for creating and maintaining rules.

The following exemplary functions are included in the library:

Authenticate( ) — The authenticate function provides a single function call verifying a user's identity. The server performs authentication based upon the stored rule. Additionally, an overriding rule can be specified by the user, which would allow for object based authentication. The function is wholly responsible for prompting the user for all of the required interaction for capturing the biometrics specified in the rule. Authenticate can also return the user data if requested. This function will perform a 1 to few match if a primary and secondary key exists in the database and the authenticate function is only called with a primary key (thus enabling group searching).

Add( ) — The add function inserts a user into the Authentication database. A primary key, a secondary key (if available), biometric data and user specific data can be added.

Delete( ) — The delete function removes a record from the 
Authentication database based upon the primary (and secondary, 
if available) key. 

Update( ) — The update function refreshes the data found 
in the Authentication database for a particular primary (and 
secondary if available) key. 

Query( ) — The query function retrieves the current data 
for a particular primary (and secondary, if available) key. The 
query function can be used for retrieving the authentication 
rule as well. Any Web application that requires biometric 
authentication can take advantage of the authentication 
client library. 

The SAF Server 220 provides the actual mechanism for 
storing biometric data and authenticating against that data. It 
accepts requests from multiple clients that desire authenti-
cation. Upon receiving a request for authentication, the 
server performs the particular match based upon a specified 
biometric. The specification of this biometric is dictated by 
the client Authenticate( ) function as it processes the authen-
tication rule. If there are any factors to be used for matching 
(i.e., false accept/reject rates, security level, etc.), the server 
takes them into account before returning a TRUE/FALSE 
answer to the client. The SAF Server supports primary and 
secondary keys, and can be configured to handle either. 
Using secondary keys can allow for the creation of groups 
and can facilitate group-wide authentication searches and 
group-wide rules. 
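The Authenticate( ) behaviour described under the client library (a 1-to-1 match when both keys are supplied, a 1-to-few match over the primary-key group when only the primary key is supplied) together with the server-side TRUE/FALSE decision described above, as an added Python example. This is not the patent's or SAFsite's code: the in-memory record store, the positional-similarity matcher and the enrolled templates are constructed stand-ins for the real database and biometric engine, and the biometric type and confidence threshold are passed in directly as the values the client's rule would dictate. It goes one step beyond the text in one respect: a 1-to-few search that leaves more than one enrolled user above the threshold is answered FALSE rather than resolved to the higher score, since the server would otherwise be guessing which group member is present.

```python
from typing import Any, Dict, List, Optional, Tuple

Template = Tuple[int, ...]       # constructed stand-in for a biometric template
Key = Tuple[str, Optional[str]]  # (primary key, secondary key or None)


def similarity(captured: Template, stored: Template) -> float:
    """Fraction of equal positions.  A constructed stand-in for the vendor
    matcher, which would return its own score in [0, 1]."""
    if not captured or len(captured) != len(stored):
        return 0.0
    return sum(a == b for a, b in zip(captured, stored)) / len(captured)


class SafServer:
    """In-memory stand-in for the SAF Server: records keyed by primary and
    optional secondary key; answers maintenance and authentication requests."""

    def __init__(self) -> None:
        self._db: Dict[Key, Dict[str, Any]] = {}

    # ---- maintenance requests: Add, Delete, Update, Query ----
    def add(self, primary: str, secondary: Optional[str], biometric: str,
            template: Template, user_data: Dict[str, Any]) -> None:
        key = (primary, secondary)
        if key in self._db:
            raise KeyError(f"record {key} exists; use update")
        self._db[key] = {"biometric": biometric, "template": template,
                         "user_data": user_data}

    def delete(self, primary: str, secondary: Optional[str] = None) -> bool:
        return self._db.pop((primary, secondary), None) is not None

    def update(self, primary: str, secondary: Optional[str] = None,
               **fields: Any) -> bool:
        rec = self._db.get((primary, secondary))
        if rec is None:
            return False
        rec.update(fields)
        return True

    def query(self, primary: str,
              secondary: Optional[str] = None) -> Optional[Dict[str, Any]]:
        return self._db.get((primary, secondary))

    # ---- authentication request ----
    def authenticate(self, primary: str, secondary: Optional[str], biometric: str,
                     captured: Template,
                     min_confidence: float) -> Tuple[bool, Optional[Dict[str, Any]]]:
        """1-to-1 match when a secondary key is supplied; 1-to-few over every
        record sharing the primary key (the group) when it is not.
        `biometric` and `min_confidence` are what the client's rule dictates.
        Returns (TRUE/FALSE, user data of the matched record or None)."""
        if secondary is not None:
            keys: List[Key] = [(primary, secondary)]
        else:
            keys = [k for k in self._db if k[0] == primary]
        hits: List[Tuple[float, Dict[str, Any]]] = []
        for key in keys:
            rec = self._db.get(key)
            if rec is None or rec["biometric"] != biometric:
                continue  # no such record, or enrolled with a different biometric
            score = similarity(captured, rec["template"])
            if score >= min_confidence:
                hits.append((score, rec["user_data"]))
        # Exactly one record above threshold authenticates.  None, or more than
        # one in a 1-to-few search (ambiguous identity), is answered FALSE.
        if len(hits) != 1:
            return False, None
        return True, hits[0][1]


if __name__ == "__main__":
    srv = SafServer()
    srv.add("finance", "alice", "finger", (1, 2, 3, 4, 5, 6, 7, 8), {"name": "Alice"})
    srv.add("finance", "bob", "finger", (8, 7, 6, 5, 4, 3, 2, 1), {"name": "Bob"})
    # Primary key only: 1-to-few across the "finance" group.
    print(srv.authenticate("finance", None, "finger", (8, 7, 6, 5, 4, 3, 2, 9), 0.80))
```

The threshold is applied on the server for both search modes, which is where the text places the false accept/reject factors; the client only relays what its rule says. Rejecting an ambiguous 1-to-few result is the design choice a practitioner would want to make explicit, because a group search with a low threshold otherwise degrades into "the closest enrolled user wins".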

The SAF Server 220 also accepts requests for database 
maintenance. These requests are issued by a client and 
include Add, Delete, Update and Query. 

In its simplest form, the SAF Server 220 is a single server 
containing the code responsible for authenticating, as well as 
database maintenance. The database also resides on this 
machine (see FIG. 2). Since the SAF Server supports 
distributed objects, the pieces of the server could lie on 
multiple machines, thereby distributing the workload and 
allowing for higher performance, scalability and load bal-
ancing. In this scheme, the database can also reside on a 
separate machine. There are multiple methods for accom-
plishing this task. First, each client can have specific knowl-
edge of the location of each piece of the server and its 
appropriate task. The client is responsible for routing the 
different requests to the appropriate servers. In distributed 
object architectures, like DCOM, this routing is handled for 
the client, requiring no additional code. Unfortunately, while 
distributed, this method doesn't offer much in the way of 
load balancing. A second approach relies upon a referral 
object that initially accepts all of the requests from the client. 
This referral object can maintain information about server 
load, network topology between client and servers, and 
statistics about past demands of a given user. Given this 
information, when the client connects to the referral server, 
it is directed to the most appropriate server to accomplish the 
requested tasks. The SAF Server can be configured to 
support all of these architectures. 

Depending on application requirements, the Authentica- 
tion Server can be extended to include additional informa- 
tion. For example, this information may include workstation 
information (authentication rule for the workstation, work- 
station enabled or disabled, etc.). 

The foregoing specific embodiments represent just some 
of the ways of practicing the present invention. Many other 
embodiments are possible within the spirit of the invention. 
For example, although many aspects of the invention were 
described in the Internet environment, they may be operated 
in any computer network environment. Accordingly, the 
scope of the invention is not limited to the foregoing 
specification, but instead is given by the appended claims 
along with their full range of equivalents. 

What is claimed is: 

1. A method of controlling access in a computer network 
environment comprising the steps of: 

(a) receiving a user identification of a user; 

(b) determining whether there exists an authentication 
rule associated with the user; 

(c) prompting the user to provide biometric information 
according to the authentication rule associated with the 
user if it is determined that the authentication rule 
associated with the user exists; 

(d) prompting the user to provide biometric information 
according to a system default authentication rule if it is 
determined that the authentication rule associated with 
the user does not exist; 

(e) capturing the biometric information; 

(f) retrieving a stored biometric information associated 
with the user identification; 

(g) comparing the captured biometric information with 
the retrieved biometric information; and 

(h) completing a log-on procedure if the captured bio- 
metric information corresponds to the retrieved bio- 
metric information. 
2. The method of claim 1, prior to step (b), further 
comprising the steps of: 

determining whether there exists an authentication rule 
associated with a remote computer from which the user 
is logging on; 

prompting the user to provide biometric information 
according to the authentication rule associated with the 
remote computer if it is determined that the authenti- 
cation rule associated with the remote computer exists. 

3. The method of claim 1, prior to step (b), further 
comprising the steps of: 

determining whether there exists an authentication rule 
associated with an object to which the user is being 
authenticated for access; 

prompting the user to provide biometric information 
according to the authentication rule associated with the 
object if it is determined that the authentication rule 
associated with the object exists. 

4. The method of claim 1, after step (c) and prior to step 
(d), further comprising the steps of: 

determining whether there exists an authentication rule 
associated with a group to which the user belongs; 

requesting the user to provide biometric information 
according to the authentication rule associated with the 
group if it is determined that the authentication rule 
associated with the group exists; 

wherein step (d) includes prompting the user to provide 
biometric information according to the system default 
authentication rule if it is determined that both the 
authentication rule associated with the user and the 
authentication rule associated with the group do not 
exist. 

5. The method of claim 1, further comprising the steps of: 
determining whether there exists an authentication rule 

associated with an object to which the user is being 
authenticated for access; 

requesting the user to provide biometric information 
according to the authentication rule associated with the 
object if it is determined that the authentication rule 
associated with the object exists; 

determining whether there exists an authentication rule 
associated with a remote computer from which the user 
is logging on if the authentication rule associated with 
the object to which the user is being authenticated for 
access does not exist; 

requesting the user to provide biometric information 
according to the authentication rule associated with the 
remote computer if it is determined that the authenti- 
cation rule associated with the remote computer exists; 

wherein step (b) includes determining whether there 
exists an authentication rule associated with the user if 
the authentication rule associated with the remote com-
puter does not exist; 

determining whether there exists an authentication rule 
associated with a group to which the user belongs if it 
is determined that the authentication rule associated 
with the user does not exist; 

requesting the user to provide biometric information 
according to the authentication rule associated with the 
group if it is determined that the authentication rule 
associated with the group exists; 

wherein step (d) includes prompting the user to provide 
biometric information according to the system default 
authentication rule if it is determined that both the 
authentication rule associated with the user and the 
authentication rule associated with the group do not 
exist. 

6. The method of claim 1, wherein the biometric infor- 
mation includes information relating to one or more of a 
finger, hand, face, voice and signature of the user. 

7. The method of claim 1, wherein the rule includes a 
parameter that specifies which type of biometric information 
reading devices is allowable for authentication. 

8. The method of claim 1, wherein the rule includes a 
parameter that specifies the confidence level of a match 
between the captured biometric information and the 
retrieved biometric information. 

9. A method of controlling access in a computer network 
environment comprising the steps of: 

(a) receiving a user identification of a user; 

(b) determining whether there exists an authentication 
rule associated with the user; 

(c) authenticating the user with a captured biometric 
information and a previously stored biometric informa- 
tion according to the authentication rule associated with 
the user if it is determined that the authentication rule 
associated with the user exists; and 

(d) authenticating the user with the captured biometric 
information and the previously stored biometric infor-
mation according to a system default authentication 
rule if it is determined that the authentication rule 
associated with the user does not exist. 

10. The method of claim 9, prior to step (b), further 
comprising the steps of: 

determining whether there exists an authentication rule 
associated with a remote computer from which the user 
is logging on; 

authenticating the user with the captured biometric infor- 
mation and the previously stored biometric information 
according to the authentication rule associated with the 
remote computer if it is determined that the authenti- 
cation rule associated with the remote computer exists. 